Microsoft Exchange Server Hack: How to Protect Your Organisation

What Should I Do to Protect My Organisation Now?

If you have an on-premises version of Exchange Server 2013, 2016 or 2019, you need to patch it. Immediately. Patching the server will remove the vulnerability and prevent hackers from exploiting it to launch a cyber-attack on your organisation.

There’s a nuance here that’s worth exploring, though, and that’s the benefit of using software as a service (SaaS) applications rather than on-premises versions. As we stated earlier in this blog, Exchange Online wasn’t affected by this vulnerability.

However, if it had been an advantage of SaaS is that the vendor (in this case Microsoft) issues patches automatically as soon as they are released. This means you don’t have to patch manually, and minimises the window during which your organisation is vulnerable.

If you choose to invest in Microsoft cloud services, you’ll be leveraging the company’s $1 billion of annual investment in the latest cyber security technology and best practices. Microsoft truly is at the forefront of the cyber security revolution: every second, Microsoft gathers hundreds of gigabytes’ worth of telemetry, and this is brought to bear in it’s hyper secure Microsoft 365 and Azure offerings.

Something to consider. On that window though, even if you patched on 2^nd March there were still a whole two months during which you were vulnerable to the Microsoft Exchange Server hack. How can you establish if you have already been compromised?

How Can I Be Sure I Haven’t Already Been Compromised?

Our secure cloud experts have put together the following recommended steps to take to mitigate exposure and identify any indicators of compromise related to the Microsoft Exchange Server vulnerabilities. If you need support running through them, we can support you for a one-off fee – just email cyberclinic@6dg.co.uk.

Note: all scripts must be run as an administrator on each Exchange Server, regardless of whether a cluster set up is in place.

1. Run NMAP Scan to determine if the Exchange Server is vulnerable: https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse
2. Patch vulnerable servers to the recommended versions
3. Run scripts recommended by Microsoft: https://github.com/microsoft/CSS-Exchange/tree/main/Security (this link guides through the process of running scripts to identify indicators of compromise)
4. Review the script output for indicators of comprise, which should give confirmation if the server was compromised
5. In order to discover potential indicators of lateral movement across your infrastructure, which could further indicate compromise, the scripts below explore Active Directory (AD) for the creation or modification of Local Users and Groups: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617241(v=technet.10)?redirectedfrom=MSDN
   1. In PowerShell: $DateCutOff=(Get-Date).AddDays(-30) – (this will take today’s date and effectively add -30 days to it)
   2. To find newly created users: Get-ADUser -Filter * -Property whenCreated | Where {$_.whenCreated -gt $datecutoff} | FT Name, whenCreated -Autosize
   3. To find modified users: Get-ADUser -Filter * -Property whenChanged | Where {$_.whenChanged -gt $datecutoff} | FT Name, whenChanged -Autosize

Again, cyberclinic@6dg.co.uk is the address to email of you need support in running through these steps. Once completed, you will have identified potential compromises within your environment. But what about your suppliers, if they’re running Exchange Server 2013, 2016 or 2019?

What About My Suppliers? Is There a Supply Chain Risk?

Short answer, yes. The slightly longer answer though is that your organisation has never been more reliant on supply chains to deliver products and services to your end users. Whether it’s sourcing parts from suppliers, outsourcing functions like finance or marketing, or working with logistics firms to transport your products around the world, your supply chain is critical to your operational integrity.

Hackers know this, and will actively target organisations in your supply chain in order to disrupt your operations and gain a foothold into your environment. And even if they don’t target you through your supply chain, any disruptions to your suppliers resulting from a cyber-attack can cause significant collateral damage to you as a result.

Here are four straightforward steps you should take to understand and mitigate your supply chain risk:

• Survey your supply chain to gain a complete picture of the suppliers your organisation works with.
• Establish the key suppliers in your supply chain on which you rely most heavily, or who are most integrated with your organisation.
• Contact these key suppliers and ask them if they use Exchange Server 2013, 2016 or 2019 to establish if they are at risk.
• If they do, ask them to confirm how they have mitigated this risk.

You may well work with suppliers that integrate with and have access to you network. Pay special attention to these suppliers, as any compromises they suffer can project directly into your network and act as a launchpad for ransomware and business email compromise (BEC) attacks.

A BEC attack is, broadly speaking, a type of phishing email. What makes it so dangerous is its targeting and sophistication. BECs are most commonly targeted at individuals responsible for handling money within organisations, and through carefully thought out methods their aim is to trick the individual into transferring money to an offshore bank account.

BEC attacks require diligence to address, as they often use sophisticated social engineering to convince victims to part with their money. Part of your supply chain considerations should include diligence around suppliers you make payments to, ensuring processes are in place to double- and triple-check that every payment made is legitimate.

By establishing your supply chain risk, you can further minimise your exposure to disruption as a result of the Microsoft Exchange Server hack.

Reduce the Risk to Your Organisation

The Microsoft Exchange Server hack is something that all organisations should take seriously – even those that don’t run the affected versions of Exchange Server. In this blog we’ve provided an overview of how to minimise the associated cyber risk your organisation faces.

At Six Degrees we have the expertise and the experience to deliver tailored solutions that will enhance your organisation’s cyber security posture. But before we start, we always want to understand your organisation and where you are on your own cyber security journey. That’s why we offer a cyber security assessment that will give us – and you – the knowledge and tools to roadmap the next steps of your journey. Schedule a call if you want to learn more.

Our new Threat Flash is compiled by our Cyber Intelligence Team to update you on ransomware that has been observed actively exploiting the Microsoft Exchange Server vulnerability. The report provides details of the ransomware attacks, along with suggested mitigation steps to protect your organisation.